Abstract. Control systems are usually modeled by differential equations describing how physical phenomena 
can be influenced by certain control parameters or inputs. Although these models are very powerful when 
dealing with physical phenomena, they are less suitable to describe software and hardware interfacing the 
physical world. For this reason there is a growing interest in describing control systems through symbolic 
models that are abstract descriptions of the continuous dynamics, where each "symbol" corresponds to an 
"aggregate" of states in the continuous model. Since these symbolic models are of the same nature as the 
models used in computer science to describe software and hardware, they provide a unified language to study 
problems of control in which software and hardware interact with the physical world. Furthermore the use of 
symbolic models enables one to leverage techniques from supervisory control and algorithms from game theory 
for controller synthesis purposes. In this paper we show that every incrementally globally asymptotically stable 
nonlinear control system is approximately equivalent (bisimilar) to a symbolic model. The approximation 
error is a design parameter in the construction of the symbolic model and can be rendered as small as desired. 
Furthermore if the state space of the control system is bounded the obtained symbolic model is finite. For 
digital control systems, and under the stronger assumption of incremental input-to-state stability, symbolic 
models can be constructed through a suitable quantization of the inputs. 



1. Introduction

The idea of using models at different levels of abstraction has been successfully used in the formal methods
community with the purpose of mitigating the complexity of software verification. A central notion when
dealing with complexity reduction is that of bisimulation equivalence, introduced by Milner [Mil89] and
Park [Par81] in the 80s. The key idea is to find and compute an equivalence relation on the state space of the
system that respects the system dynamics. This equivalence relation induces a new system on the quotient
space that shares most properties of interest with the original model. This approach leads to an alternative
methodology for the analysis and control of large-scale control systems. In fact, from the analysis point of
view, symbolic models provide a unified framework for describing continuous systems as well as hardware
and software interacting with the physical environment. Furthermore, the use of symbolic models allows
one to leverage the rich literature on supervisory control [RW87] and algorithmic approaches to game theory
[AVW03] for controller design.

After the pioneering work of Alur and Dill [AD94] that showed existence of symbolic models for timed
automata, researchers tried to identify more general classes of continuous systems admitting finite bisimulations.
The existing results can be roughly classified into four main lines of research:

(i) Simulation/bisimulation: symbolic models have been studied in [TP06, Tab07b, Gir07] for discrete-time
control systems, in [Tab07a] for continuous-time control systems and in [LPS00] for o-minimal
hybrid systems among others. Reduction of continuous control systems to continuous control systems
with lower dimensional state space has been addressed in [vdS04, Gra07, TP04, PvdSB06];

(ii) Quantized control systems: finite abstractions have been studied in [BMP02, BMP06] for certain
classes of control systems with quantized inputs;

(iii) Qualitative reasoning: symbolic models were constructed using methods of qualitative reasoning
in [RK03, Kui94];

(iv) Stochastic automata: abstractions of continuous-time control systems by means of stochastic
automata have been studied in [LN01, Sch03].

We defer to the last section of the paper a comparison between the results presented in this paper and the
above lines of research. In this paper we follow the line of research based on simulation/bisimulation by
making use of the recently introduced notion of approximate bisimulation [GP07], that captures equivalence of
systems in an approximate setting. By relaxing the usual notion of bisimulation to approximate bisimulation,
a larger class of control systems can be expected to admit symbolic models. In fact the work in [Tab07a] shows
that for every asymptotically stabilizable control system it is possible to construct a symbolic model, which
is based on an approximate notion of simulation (one-sided version of bisimulation). However, if a controller
fails to exist for the symbolic model, nothing can be concluded regarding the existence of a controller for the
original model. This drawback is a direct consequence of the one-sided notion used in [Tab07a]. For this
reason, an extension of the results in [Tab07a] from simulation to bisimulation is needed. The aim of this
paper is precisely to provide such extension. The key idea in the results that we propose is to replace the
assumption of asymptotic stabilizability of [Tab07a] with the stronger notion of asymptotic stability. We show
that every incrementally globally asymptotically stable nonlinear control system admits a symbolic model that is
an approximate bisimulation, with a precision that is a-priori defined, as a design parameter. Furthermore, if
the state space of the control system is bounded the symbolic model is finite. Moreover, for incrementally
input-to-state stable digital control systems, i.e. systems where control signals are piecewise-constant, a symbolic
model can be obtained by quantizing the space of inputs. As an illustrative example, we apply the proposed
techniques to a control design problem for a pendulum. A preliminary version of these results appeared in
[PGT07].



2. Control systems and stability notions 

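2.1. Notations. The symbols $\mathbb{N}$, $\mathbb{Z}$, $\mathbb{R}$, $\mathbb{R}^+$ and $\mathbb{R}_0^+$ denote the natural, integer, real, positive real and nonnegative
real numbers, respectively. Given a vector $x \in \mathbb{R}^n$ we denote by $x'$ the transpose of $x$ and by $x_i$ the $i$-th
element of $x$; furthermore $\|x\|$ denotes the infinity norm of $x$; we recall that $\|x\| := \max\{|x_1|, |x_2|, \ldots, |x_n|\}$,
where $|x_i|$ is the absolute value of $x_i$. The symbol $\mathcal{B}_\varepsilon(x)$ denotes the closed ball centered at $x \in \mathbb{R}^n$ with
radius $\varepsilon \in \mathbb{R}_0^+$, i.e. $\mathcal{B}_\varepsilon(x) = \{y \in \mathbb{R}^n : \|x - y\| \le \varepsilon\}$. For any $A \subseteq \mathbb{R}^n$ and $\mu \in \mathbb{R}^+$ define
$[A]_\mu := \{a \in A \mid a_i = k_i \mu,\ k_i \in \mathbb{Z},\ i = 1, \ldots, n\}$. The set $[A]_\mu$ will be used in the subsequent developments as an approximation
of the set $A$ with precision $\mu$. By geometrical considerations on the infinity norm, for any $\mu \in \mathbb{R}^+$ and $\lambda \ge \mu/2$
the collection of sets $\{\mathcal{B}_\lambda(q)\}_{q \in [\mathbb{R}^n]_\mu}$ is a covering of $\mathbb{R}^n$, i.e. $\mathbb{R}^n \subseteq \bigcup_{q \in [\mathbb{R}^n]_\mu} \mathcal{B}_\lambda(q)$; conversely for any $\lambda < \mu/2$,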



We now recall from [Kha96, Son98] some notions that will be employed in Sections 2.2 and 2.3 to define
trajectories and some stability notions for control systems. A function $f : [a,b] \to \mathbb{R}^n$ is said to be absolutely
continuous on $[a,b]$ if for any $\varepsilon \in \mathbb{R}^+$ there exists $\delta \in \mathbb{R}^+$ so that for every $k \in \mathbb{N}$ and for every sequence of
points $a \le a_1 < b_1 \le a_2 < b_2 \le \cdots \le a_k < b_k \le b$, if $\sum_{i=1}^{k} (b_i - a_i) < \delta$ then $\sum_{i=1}^{k} |f(b_i) - f(a_i)| < \varepsilon$. A
function $f : ]a,b[ \to \mathbb{R}^n$ is said to be locally absolutely continuous if the restriction of $f$ to any compact subset
of $]a,b[$ is absolutely continuous. Given a measurable function $f : \mathbb{R}_0^+ \to \mathbb{R}^n$, the (essential) supremum of $f$
is denoted by $\|f\|_\infty$; we recall that $\|f\|_\infty := (\mathrm{ess})\sup\{\|f(t)\|,\ t \ge 0\}$; $f$ is essentially bounded if $\|f\|_\infty < \infty$.
For a given time $\tau \in \mathbb{R}^+$, define $f_\tau$ so that $f_\tau(t) = f(t)$, for any $t \in [0,\tau)$, and $f(t) = 0$ elsewhere; $f$ is said
to be locally essentially bounded if for any $\tau \in \mathbb{R}^+$, $f_\tau$ is essentially bounded. A function $f : \mathbb{R}^n \to \mathbb{R}$ is said
to be radially unbounded if $f(x) \to \infty$ as $\|x\| \to \infty$. A continuous function $\gamma : \mathbb{R}_0^+ \to \mathbb{R}_0^+$ is said to belong
to class $\mathcal{K}$ if it is strictly increasing and $\gamma(0) = 0$; $\gamma$ is said to belong to class $\mathcal{K}_\infty$ if $\gamma \in \mathcal{K}$ and $\gamma(r) \to \infty$
as $r \to \infty$. A continuous function $\beta : \mathbb{R}_0^+ \times \mathbb{R}_0^+ \to \mathbb{R}_0^+$ is said to belong to class $\mathcal{KL}$ if for each fixed $s$, the
map $\beta(r,s)$ belongs to class $\mathcal{K}_\infty$ with respect to $r$ and, for each fixed $r$, the map $\beta(r,s)$ is decreasing with
respect to $s$ and $\beta(r,s) \to 0$ as $s \to \infty$. The following notions will be used in Sections 3, 4 and 5 to define
the concept of approximate bisimulation and the symbolic models that we propose in this paper. The identity
map on a set $A$ is denoted by $1_A$. Given two sets $A$ and $B$, if $A$ is a subset of $B$ we denote by $\imath_A : A \hookrightarrow B$
or simply by $\imath$ the natural inclusion map taking any $a \in A$ to $\imath(a) = a \in B$. Given a function $f : A \to B$ the
symbol $f(A)$ denotes the image of $A$ through $f$, i.e. $f(A) := \{b \in B : \exists a \in A \text{ s.t. } b = f(a)\}$. We identify a
relation $R \subseteq A \times B$ with the map $R : A \to 2^B$ defined by $b \in R(a)$ if and only if $(a,b) \in R$. Given a relation
$R \subseteq A \times B$, $R^{-1}$ denotes the inverse relation of $R$, i.e. $R^{-1} := \{(b,a) \in B \times A : (a,b) \in R\}$.



2.2. Control Systems. The class of control systems that we consider in this paper is formalized in the 
following definition. 

Definition 2.1. A control system is a quadruple $\Sigma = (\mathbb{R}^n, U, \mathcal{U}, f)$, where:

• $\mathbb{R}^n$ is the state space;

• $U \subseteq \mathbb{R}^m$ is the input space;

• $\mathcal{U}$ is a subset of the set of all locally essentially bounded functions of time from intervals of the form
$]a,b[ \subseteq \mathbb{R}$ to $U$ with $a < 0$ and $b > 0$;

• $f : \mathbb{R}^n \times U \to \mathbb{R}^n$ is a continuous map satisfying the following Lipschitz assumption: for every compact
set $K \subset \mathbb{R}^n$, there exists a constant $\kappa > 0$ such that $\|f(x,u) - f(y,u)\| \le \kappa \|x - y\|$, for all $x, y \in K$
and all $u \in U$.



A locally absolutely continuous curve $\mathbf{x} : ]a,b[ \to \mathbb{R}^n$ is said to be a trajectory of $\Sigma$ if there exists $\mathbf{u} \in \mathcal{U}$ satisfying
$\dot{\mathbf{x}}(t) = f(\mathbf{x}(t), \mathbf{u}(t))$, for almost all $t \in ]a,b[$. Although we have defined trajectories over open domains, we
shall refer to trajectories $\mathbf{x} : [0,\tau] \to \mathbb{R}^n$ defined on closed domains $[0,\tau]$, $\tau \in \mathbb{R}^+$, with the understanding of
the existence of a trajectory $\mathbf{z} : ]a,b[ \to \mathbb{R}^n$ such that $\mathbf{x} = \mathbf{z}|_{[0,\tau]}$. We will also write $\mathbf{x}(t, x, \mathbf{u})$ to denote the
point reached at time $t \in ]a,b[$ under the input $\mathbf{u}$ from initial condition $x$; this point is uniquely determined,
since the assumptions on $f$ ensure existence and uniqueness of trajectories [Son98].

A control system $\Sigma$ is said to be forward complete if every trajectory is defined on an interval of the form $]a, \infty[$.
Sufficient and necessary conditions for a system to be forward complete can be found in [AS99]. Simpler, but
only sufficient, conditions for forward completeness are also available in the literature. These include linear
growth or compact support of the vector field (see e.g. [LM67]).

2.3. Stability notions. The results presented in this paper rely on certain stability assumptions that
we briefly recall in this section.

Definition 2.2. [Ang02] A control system $\Sigma$ is incrementally globally asymptotically stable ($\delta$-GAS) if it is
forward complete and there exists a $\mathcal{KL}$ function $\beta$ such that for any $t \in \mathbb{R}_0^+$, any $x, y \in \mathbb{R}^n$ and any $\mathbf{u} \in \mathcal{U}$ the
following condition is satisfied:

(2.1) $\|\mathbf{x}(t,x,\mathbf{u}) - \mathbf{x}(t,y,\mathbf{u})\| \le \beta(\|x - y\|, t)$.

The definition above can be thought of as an incremental version of the classical notion of global asymptotic
stability (GAS) [Kha96].



Definition 2.3. [Ang02] A control system $\Sigma$ is incrementally input-to-state stable ($\delta$-ISS) if it is forward
complete and there exist a $\mathcal{KL}$ function $\beta$ and a $\mathcal{K}_\infty$ function $\gamma$ such that for any $t \in \mathbb{R}_0^+$, any $x, y \in \mathbb{R}^n$ and
any $\mathbf{u}, \mathbf{v} \in \mathcal{U}$ the following condition is satisfied:

(2.2) $\|\mathbf{x}(t,x,\mathbf{u}) - \mathbf{x}(t,y,\mathbf{v})\| \le \beta(\|x - y\|, t) + \gamma(\|\mathbf{u} - \mathbf{v}\|_\infty)$.

It is readily seen, by observing (2.1) and (2.2), that $\delta$-ISS implies $\delta$-GAS, while the converse is not true in
general (see [Ang02] for some examples).

In general, inequalities (2.1) and (2.2) are difficult to check directly. Fortunately $\delta$-GAS and $\delta$-ISS can be
characterized by dissipation inequalities.

Definition 2.4. Consider a control system $\Sigma$ and a smooth function $V : \mathbb{R}^n \times \mathbb{R}^n \to \mathbb{R}_0^+$. Function $V$ is called
a $\delta$-GAS Lyapunov function for $\Sigma$, if there exist $\mathcal{K}_\infty$ functions $\alpha_1$, $\alpha_2$ and $\rho$ such that:

(i) for any $x, y \in \mathbb{R}^n$

$\alpha_1(\|x - y\|) \le V(x,y) \le \alpha_2(\|x - y\|)$;

(ii) for any $x, y \in \mathbb{R}^n$ and any $u \in U$

dV dV 

Function $V$ is called a $\delta$-ISS Lyapunov function for $\Sigma$, if there exist $\mathcal{K}_\infty$ functions $\alpha_1$, $\alpha_2$, $\rho$ and $\sigma$ satisfying
conditions (i) and:

(iii) for any $x, y \in \mathbb{R}^n$ and any $u, v \in U$

$\frac{\partial V}{\partial x} f(x,u) + \frac{\partial V}{\partial y} f(y,v) \le -\rho(\|x - y\|) + \sigma(\|u - v\|)$.

The following result completely characterizes $\delta$-GAS and $\delta$-ISS in terms of existence of Lyapunov functions.

Theorem 2.5. [Ang02] Consider a control system $\Sigma = (\mathbb{R}^n, U, \mathcal{U}, f)$. Then:

• If $U$ is compact then $\Sigma$ is $\delta$-GAS if and only if it admits a $\delta$-GAS Lyapunov function;

• If $U$ is closed, convex, contains the origin and $f(0,0) = 0$, then $\Sigma$ is $\delta$-ISS if it admits a $\delta$-ISS
Lyapunov function. Moreover if $U$ is compact, existence of a $\delta$-ISS Lyapunov function is equivalent
to $\delta$-ISS.



3. Approximate bisimulation 



In this section we introduce a notion of approximate equivalence upon which all the results in this paper rely. 
We start by introducing the class of transition systems that will be used in this paper as abstract models for 
control systems. 

Definition 3.1. A transition system is a quintuple $T = (Q, L, \longrightarrow, O, H)$, consisting of:

• A set of states $Q$;

• A set of labels $L$;

• A transition relation $\longrightarrow \subseteq Q \times L \times Q$;

• An output set $O$;

• An output function $H : Q \to O$.

A transition system $T$ is said to be:

• metric, if the output set $O$ is equipped with a metric $d : O \times O \to \mathbb{R}_0^+$;

• countable, if $Q$ and $L$ are countable sets;

• finite, if $Q$ and $L$ are finite sets.

We will follow standard practice and denote an element $(q,l,p) \in \longrightarrow$ by $q \xrightarrow{\,l\,} p$. Transition systems
capture dynamics through the transition relation. For any states $q, p \in Q$, $q \xrightarrow{\,l\,} p$ simply means that it is
possible to evolve or jump from state $q$ to state $p$ under the action labeled by $l$. We will use transition systems
as an abstract representation of control systems. There are several different ways in which control systems can
be transformed into transition systems. We now describe one of these, which has the property of capturing
all the information contained in a control system $\Sigma$.
Given a control system $\Sigma = (\mathbb{R}^n, U, \mathcal{U}, f)$ define the transition system:

(3.1) $T(\Sigma) := (Q, L, \longrightarrow, O, H)$,
where:

• $Q = \mathbb{R}^n$;

• $q \xrightarrow{\,\mathbf{u}\,} p$, if $\mathbf{x}(\tau, q, \mathbf{u}) = p$ for some $\tau \in \mathbb{R}^+$;

• $O = \mathbb{R}^n$;

• $H = 1_{\mathbb{R}^n}$.

Transition system $T(\Sigma)$ is metric when we regard the set $O = \mathbb{R}^n$ as being equipped with the metric $d(p,q) = \|p - q\|$.
Note that the state space of $T(\Sigma)$ is infinite. The aim of this paper is to study existence of countable
transition systems that are approximately equivalent to $T(\Sigma)$. The notion of equivalence that we consider is the
one of bisimulation equivalence [Mil89, Par81]. Bisimulation relations are standard mechanisms to relate the
properties of transition systems. Intuitively, a bisimulation relation between a pair of transition systems $T_1$
and $T_2$ is a relation between the corresponding state sets explaining how a state trajectory $r_1$ of $T_1$ can be
transformed into a state trajectory $r_2$ of $T_2$ and vice versa. While typical bisimulation relations require that $r_1$
and $r_2$ are observationally indistinguishable, that is $H_1(r_1) = H_2(r_2)$, we shall relax this by requiring $H_1(r_1)$
to simply be close to $H_2(r_2)$ where closeness is measured with respect to the metric on the output set. The
following notion has been introduced in [GP07] and in a slightly different formulation in [Tab07a].

Definition 3.2. Let $T_1 = (Q_1, L_1, \xrightarrow[1]{}, O, H_1)$ and $T_2 = (Q_2, L_2, \xrightarrow[2]{}, O, H_2)$ be metric transition
systems with the same output set and metric $d$, and let $\varepsilon \in \mathbb{R}_0^+$ be a given precision. A relation $R \subseteq Q_1 \times Q_2$ is
said to be an $\varepsilon$-approximate bisimulation relation between $T_1$ and $T_2$, if for any $(q_1, q_2) \in R$:

(i) $d(H_1(q_1), H_2(q_2)) \le \varepsilon$;

(ii) $q_1 \xrightarrow[1]{\,l_1\,} p_1$ implies existence of $q_2 \xrightarrow[2]{\,l_2\,} p_2$ such that $(p_1, p_2) \in R$;

(iii) $q_2 \xrightarrow[2]{\,l_2\,} p_2$ implies existence of $q_1 \xrightarrow[1]{\,l_1\,} p_1$ such that $(p_1, p_2) \in R$.

Moreover $T_1$ is $\varepsilon$-bisimilar to $T_2$ if there exists an $\varepsilon$-approximate bisimulation relation $R$ between $T_1$ and $T_2$
such that $R(Q_1) = Q_2$ and $R^{-1}(Q_2) = Q_1$.

4. Approximate bisimilar symbolic models 

In the following we will work with a sub-transition system of $T(\Sigma)$ obtained by selecting those transitions from
$T(\Sigma)$ that describe trajectories of duration $\tau$ for some chosen $\tau \in \mathbb{R}^+$. This can be seen as a time discretization
or sampling process. Given a control system $\Sigma$ and a parameter $\tau \in \mathbb{R}^+$ define the transition system:

$T_\tau(\Sigma) := (Q_1, L_1, \xrightarrow[1]{}, O_1, H_1)$,

where:

• $Q_1 = \mathbb{R}^n$;

• $L_1 = \{l_1 \in \mathcal{U} \mid \mathbf{x}(\tau, x, l_1) \text{ is defined for all } x \in \mathbb{R}^n\}$;

• $q \xrightarrow[1]{\,l_1\,} p$, if $\mathbf{x}(\tau, q, l_1) = p$;

• $O_1 = \mathbb{R}^n$;

• $H_1 = 1_{\mathbb{R}^n}$.

Transition system $T_\tau(\Sigma)$ is metric when we regard $O_1 = \mathbb{R}^n$ as being equipped with the metric $d(p,q) = \|p - q\|$.
Note that the set of labels $L_1$ is composed of (only) those control signals of $\mathcal{U}$ for which a trajectory of $\Sigma$ exists
for any time $t \in [0,\tau]$ and for any initial condition $x \in \mathbb{R}^n$. Any measurable control input can be included in
$L_1$ when the control system is forward complete.

In the following we show existence of a countable transition system that is approximately bisimilar to $T_\tau(\Sigma)$,
provided that $\Sigma$ satisfies some stability properties.

By simple considerations on the infinity norm, for any given precision $\eta \in \mathbb{R}^+$ we can approximate the state






GIORDANO POLA, ANTOINE GIRARD AND PAULO TABUADA 



space $Q_1 = \mathbb{R}^n$ of $T_\tau(\Sigma)$ by means of the countable set $Q_2 := [\mathbb{R}^n]_\eta$ so that for any $x \in \mathbb{R}^n$ there exists $q \in Q_2$
such that $\|x - q\| \le \eta/2$.

The approximation of the set of labels $L_1$ of $T_\tau(\Sigma)$ is more involved. We approximate $L_1$ by means of the set:

(4.1) $L_2 := \bigcup_{q \in Q_2} L_2(q)$,

where $L_2(q)$ captures the set of labels that can be applied at the state $q \in Q_2$ of the symbolic model. The
definition of $L_2(q)$ is based on the notion of reachable sets. Given any state $q \in Q_1$ consider the set:

(4.2) $\mathcal{R}(\tau, q) = \{p \in Q_1 : q \xrightarrow[1]{\,l_1\,} p,\ l_1 \in L_1\}$,

of reachable states of $T_\tau(\Sigma)$ from $q$. Notice that $\mathcal{R}(\tau, q)$ is well defined because of the definition of the set
of labels $L_1$. We approximate $\mathcal{R}(\tau, q)$ by means of a countable set, as follows. Given any precision $\mu \in \mathbb{R}^+$,
consider the set:

$\mathcal{P}_\mu(\tau, q) := \{y \in [\mathbb{R}^n]_\mu : \exists z \in \mathcal{R}(\tau, q) \text{ s.t. } \|y - z\| \le \mu/2\}$,

and define the function $\psi_\mu^{\tau,q} : \mathcal{P}_\mu(\tau, q) \to L_1$, that associates to any $y \in \mathcal{P}_\mu(\tau, q)$ a label $l_1 = \psi_\mu^{\tau,q}(y) \in L_1$ so
that $\|y - \mathbf{x}(\tau, q, l_1)\| \le \mu/2$. Notice that the function $\psi_\mu^{\tau,q}$ is not unique. The set $L_2(q)$ appearing in (4.1) can
now be defined by $L_2(q) := \psi_\mu^{\tau,q}(\mathcal{P}_\mu(\tau, q))$. Notice that since $L_2(q)$ is the image through $\psi_\mu^{\tau,q}$ of a countable
set, it is countable. Therefore $L_2$ as defined in (4.1) is countable, as well. Furthermore the set $L_2$ approximates
the set $L_1$ in the sense that given any $q \in Q_2$, for any $l_1 \in L_1$ there exists $l_2 \in L_2(q)$ so that:

(4.3) $\|\mathbf{x}(\tau, q, l_1) - \mathbf{x}(\tau, q, l_2)\| \le \mu$.

We now have all the ingredients to define a symbolic model that will be used to approximate a control system.
Given a control system $\Sigma = (\mathbb{R}^n, U, \mathcal{U}, f)$, any $\tau \in \mathbb{R}^+$, $\eta \in \mathbb{R}^+$ and $\mu \in \mathbb{R}^+$ define the following transition
system:

(4.4) $T_{\tau,\eta,\mu}(\Sigma) := (Q_2, L_2, \xrightarrow[2]{}, O_2, H_2)$,

where:

• $Q_2 = [\mathbb{R}^n]_\eta$;

• $L_2 = \bigcup_{q \in Q_2} L_2(q)$;

• $q \xrightarrow[2]{\,l\,} p$, if $l \in L_2(q)$ and $\|p - \mathbf{x}(\tau, q, l)\| \le \eta/2$;

• $O_2 = \mathbb{R}^n$;

• $H_2 = \imath : Q_2 \hookrightarrow O_2$.

We think of $T_{\tau,\eta,\mu}(\Sigma)$ as a metric transition system where $O_2 = \mathbb{R}^n$ is equipped with the metric $d(p,q) = \|p - q\|$.
Parameters $\tau \in \mathbb{R}^+$, $\eta \in \mathbb{R}^+$ and $\mu \in \mathbb{R}^+$ in $T_{\tau,\eta,\mu}(\Sigma)$ can be thought of, respectively, as a sampling time, a
state space and an input space quantization.

We emphasize that transition system $T_{\tau,\eta,\mu}(\Sigma)$ is countable because the sets $Q_2$ and $L_2$ are countable.
Furthermore if the state space of the control system $\Sigma$ is bounded, the corresponding transition system $T_{\tau,\eta,\mu}(\Sigma)$
is finite.

Note that in the definition of the transition relation $\xrightarrow[2]{}$ we require $\mathbf{x}(\tau, q, l)$ to be in the closed ball $\mathcal{B}_{\eta/2}(p)$.
We can instead require $\mathbf{x}(\tau, q, l)$ to be in $\mathcal{B}_\lambda(p)$ for any $\lambda \ge \eta/2$. However, we chose $\lambda = \eta/2$ because $\eta/2$ is
the smallest value of $\lambda \in \mathbb{R}^+$ that ensures $\mathbb{R}^n \subseteq \bigcup_{q \in [\mathbb{R}^n]_\eta} \mathcal{B}_\lambda(q)$. In fact, this choice of $\lambda$ reduces the number
of transitions in the definition of the symbolic model in (4.4).

We can now give the main result of this paper which relates $\delta$-GAS to existence of symbolic models.

Theorem 4.1. Consider a control system $\Sigma$ and any desired precision $\varepsilon \in \mathbb{R}^+$. If $\Sigma$ is $\delta$-GAS then for any
$\tau \in \mathbb{R}^+$, $\eta \in \mathbb{R}^+$ and $\mu \in \mathbb{R}^+$ satisfying the following inequality:

(4.5) $\beta(\varepsilon, \tau) + \mu + \eta/2 \le \varepsilon$,

the transition system $T_\tau(\Sigma)$ is $\varepsilon$-bisimilar to $T_{\tau,\eta,\mu}(\Sigma)$.

Before giving the proof of this result we point out that if $\Sigma$ is $\delta$-GAS, there always exist parameters $\tau \in \mathbb{R}^+$,
$\eta \in \mathbb{R}^+$ and $\mu \in \mathbb{R}^+$ satisfying condition (4.5). Indeed since $\beta$ is a $\mathcal{KL}$ function, there exists a sufficiently large
value of $\tau$ so that $\beta(\varepsilon, \tau) < \varepsilon$; then by choosing sufficiently small values of $\mu$ and $\eta$, condition (4.5) is fulfilled.



Proof. Consider the relation $R \subseteq Q_1 \times Q_2$ defined by $(x,q) \in R$ if and only if $\|x - q\| \le \varepsilon$. By construction
$R(Q_1) = Q_2$; furthermore $Q_1 \subseteq \bigcup_{q_2 \in Q_2} \mathcal{B}_{\eta/2}(q_2)$ and therefore since by (4.5), $\eta/2 \le \varepsilon$, we have that
$R^{-1}(Q_2) = Q_1$. We now show that $R$ is an $\varepsilon$-approximate bisimulation relation between $T_\tau(\Sigma)$ and $T_{\tau,\eta,\mu}(\Sigma)$.
Consider any $(x,q) \in R$. Condition (i) in Definition 3.2 is satisfied by definition of $R$. Let us now show
that condition (ii) in Definition 3.2 holds. Consider any $l_1 \in L_1$ and the transition $x \xrightarrow[1]{\,l_1\,} y$ in $T_\tau(\Sigma)$. Let
$v = \mathbf{x}(\tau, q, l_1)$; since $\mathbb{R}^n \subseteq \bigcup_{w \in [\mathbb{R}^n]_\mu} \mathcal{B}_{\mu/2}(w)$, there exists $w \in [\mathbb{R}^n]_\mu$ such that:

(4.6) $\|v - w\| \le \mu/2$.

Since $v \in \mathcal{R}(\tau, q)$, it is clear that $w \in \mathcal{P}_\mu(\tau, q)$ by definition of $\mathcal{P}_\mu(\tau, q)$. Then, let $l_2 \in L_2(q)$ be given by
$l_2 = \psi_\mu^{\tau,q}(w)$. By definition of $\psi_\mu^{\tau,q}$ and by setting $z = \mathbf{x}(\tau, q, l_2)$, it follows that:

(4.7) $\|w - z\| \le \mu/2$.

Since $Q_1 \subseteq \bigcup_{q_2 \in Q_2} \mathcal{B}_{\eta/2}(q_2)$, there exists $p \in Q_2$ such that:

(4.8) $\|z - p\| \le \eta/2$.

Thus, $q \xrightarrow[2]{\,l_2\,} p$ in $T_{\tau,\eta,\mu}(\Sigma)$ and since $\Sigma$ is $\delta$-GAS and by (4.6), (4.7), (4.8) and (4.5), the following chain of
inequalities holds:

$\|y - p\| = \|y - v + v - w + w - z + z - p\|$
$\le \beta(\|x - q\|, \tau) + \mu/2 + \mu/2 + \eta/2$
$\le \beta(\varepsilon, \tau) + \mu + \eta/2 \le \varepsilon$.

Hence $(y,p) \in R$ and condition (ii) in Definition 3.2 holds. We now show that also condition (iii) holds.
Consider any $(x,q) \in R$, any $l_2 \in L_2$ and the transition $q \xrightarrow[2]{\,l_2\,} p$ in $T_{\tau,\eta,\mu}(\Sigma)$. By definition of $T_{\tau,\eta,\mu}(\Sigma)$:

(4.9) $\|z - p\| \le \eta/2$,

where $z = \mathbf{x}(\tau, q, l_2) \in Q_1$. Choose $l_1 = l_2 \in L_1$ and consider the transition $x \xrightarrow[1]{\,l_1\,} y$ in $T_\tau(\Sigma)$. Since $\Sigma$ is
$\delta$-GAS and by conditions (4.9) and (4.5), the following chain of inequalities holds:

$\|y - p\| = \|y - z + z - p\| \le \|y - z\| + \|z - p\|$
$\le \beta(\|x - q\|, \tau) + \eta/2 \le \beta(\varepsilon, \tau) + \eta/2 \le \varepsilon$.

Thus $(y,p) \in R$, which completes the proof. □



Conditions of Theorem 4.1 require the control system $\Sigma$ to be globally $\delta$-GAS as in Definition 2.2. However, it is
easy to see from the above proof that this stability property can be relaxed to hold locally, i.e. for initial states
$x, y \in \mathbb{R}^n$ satisfying $\|x - y\| \le \varepsilon$. Moreover, this stability condition is not far from also being necessary. The
following counterexample shows that unstable control systems do not admit, in general, countable symbolic
models.

Example 4.2. Consider a control system $\Sigma = (\mathbb{R}, U, \mathcal{U}, f)$, where $U = \{0\}$, $\mathcal{U} = \{\mathbf{0}\}$, $\mathbf{0}$ is the identically
null input and $f(x) = x$. System $\Sigma$ is unstable and hence not $\delta$-GAS. We now show that for any $\varepsilon \in \mathbb{R}_0^+$,
any $\tau \in \mathbb{R}^+$ and any countable transition system $T$, transition systems $T_\tau(\Sigma)$ and $T$ are not $\varepsilon$-bisimilar.

Consider any countable metric transition system $T = (Q, L, \longrightarrow, \mathbb{R}, H)$, with $H : Q \to \mathbb{R}$ and the same
metric $d(p,q) = \|p - q\|$ of $T_\tau(\Sigma)$. Consider any relation $R \subseteq Q_1 \times Q$ satisfying conditions (i), (ii) and (iii) of
Definition 3.2 and such that $R(Q_1) = Q$ and $R^{-1}(Q) = Q_1$. We now show that such relation $R$ does not exist.
By countability of $T$, there exist $q_0 \in Q$ and $x_0, y_0 \in Q_1 = \mathbb{R}$ such that $x_0 \ne y_0$, and $(x_0, q_0), (y_0, q_0) \in R$. Set
$x_k = e^{k\tau} x_0$, $y_k = e^{k\tau} y_0$, for any $k \in \mathbb{N}$. Since $x_0 \ne y_0$, by selecting $\lambda \in \mathbb{R}^+$ such that $\|x_0 - y_0\| > \lambda$, we have:

(4.10) $\|x_k - y_k\| = e^{k\tau} \|x_0 - y_0\| > e^{k\tau} \lambda,\ \forall k \in \mathbb{N}$.

Choose $k' \in \mathbb{N}$ so that $e^{k'\tau} \lambda - \varepsilon > \varepsilon$. By condition (iii) in Definition 3.2 and since $R(Q_1) = Q$ and $R^{-1}(Q) = Q_1$,
there must exist $q_{k'} \in Q$ so that $(x_{k'}, q_{k'}), (y_{k'}, q_{k'}) \in R$. Since $(x_{k'}, q_{k'}) \in R$,

(4.11) $\|x_{k'} - H(q_{k'})\| \le \varepsilon$.

By combining inequalities (4.10) and (4.11) and by definition of $k'$, we obtain:

(4.12) $\|H(q_{k'}) - y_{k'}\| \ge \|x_{k'} - y_{k'}\| - \|x_{k'} - H(q_{k'})\| > e^{k'\tau} \lambda - \varepsilon > \varepsilon$.

Inequality (4.12) shows that the pair $(y_{k'}, q_{k'}) \in R$ does not satisfy condition (i) of Definition 3.2. Hence
there does not exist an $\varepsilon$-approximate bisimulation relation between $T_\tau(\Sigma)$ and $T$ and consequently $T_\tau(\Sigma)$
and $T$ are not $\varepsilon$-bisimilar.



Theorem 4.1 relates $T_\tau(\Sigma)$ to the symbolic model in (4.4), whose construction is in general difficult, since it
requires the computation of reachable sets. In the next section we show that for digital control systems a
symbolic model can be obtained by quantizing the input space.



5. Digital control systems 

In this section we specialize the results of the previous section to the case of digital control systems, i.e. control
systems where control signals are piecewise-constant. In many man-made systems, input signals are often
physically implemented as piecewise-constant signals and this motivates our interest in this class of systems.
In the following we suppose that the input space $U$ of the considered control system $\Sigma = (\mathbb{R}^n, U, \mathcal{U}, f)$ contains
the origin and that it is a hyper rectangle of the form $U := [a_1, b_1] \times [a_2, b_2] \times \cdots \times [a_m, b_m]$, for some
$a_i < b_i$, $i = 1, 2, \ldots, m$. Furthermore we suppose that control inputs are piecewise-constant; given $\tau \in \mathbb{R}^+$, the
class of inputs that we consider is:

$\mathcal{U}_\tau := \{\mathbf{u} \in \mathcal{U} : \mathbf{u}(t) = \mathbf{u}(0),\ t \in [0,\tau]\}$.

For notational simplicity, we denote by $u$ the control input $\mathbf{u} \in \mathcal{U}_\tau$ for which $\mathbf{u}(t) = u$, $t \in [0,\tau]$.

Let us denote by $T_{\mathcal{U}_\tau}(\Sigma)$ the sub-transition system of $T_\tau(\Sigma)$ where only control inputs in $\mathcal{U}_\tau$ are considered.

More formally define: 

where: 

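• $Q_1 = \mathbb{R}^n$;

• $L_1 = \{l_1 \in \mathcal{U}_\tau \mid \mathbf{x}(\tau, x, l_1) \text{ is defined for all } x \in \mathbb{R}^n\}$;

• $q \xrightarrow[1]{\,l_1\,} p$, if $\mathbf{x}(\tau, q, l_1) = p$;

• $O_1 = \mathbb{R}^n$;

Transition system $T_{\mathcal{U}_\tau}(\Sigma)$ is metric when we regard $O_1 = \mathbb{R}^n$ as being equipped with the metric $d(p,q) = \|p - q\|$.
Note that analogously to $T_\tau(\Sigma)$, transition system $T_{\mathcal{U}_\tau}(\Sigma)$ is not countable. Therefore we now define a suitable
countable transition system that will approximate $T_{\mathcal{U}_\tau}(\Sigma)$ with any desired precision.
Given a control system $\Sigma$, any $\tau \in \mathbb{R}^+$, $\eta \in \mathbb{R}^+$ and $\mu \in \mathbb{R}^+$, define the following transition system:

(5.1) $T_{\tau,\eta,\mu}(\Sigma) := (Q_2, L_2, \xrightarrow[2]{}, O_2, H_2)$,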



where: 
• $Q_2 = [\mathbb{R}^n]_\eta$;

• $L_2 = [U]_\mu$;

• $q \xrightarrow[2]{\,l\,} p$, if $\|p - \mathbf{x}(\tau, q, l)\| \le \eta/2$;

• $O_2 = \mathbb{R}^n$;

• $H_2 = \imath : Q_2 \hookrightarrow O_2$.



Analogously to the transition system in (4.4), the transition system in (5.1) is countable. Notice that the transition system
in (5.1) differs from the one in (4.4) only in the way that control inputs are approximated. In particular,
the choice of labels in the transition system in (5.1) does not require knowledge of the reachable set associated
with $\Sigma$. This feature is essential when constructing the symbolic model. The computation of $\mathbf{x}(\tau, q, l)$ can
be done either analytically or numerically; in the latter case, numerical errors can be incorporated in the
model, as follows. Suppose there exists a parameter $\nu \in \mathbb{R}_0^+$ so that for any state $q \in Q_2$ and control input
$l \in L_2$, it is possible to evaluate $\mathbf{x}(\tau, q, l)$ by means of the numerical solution $\tilde{\mathbf{x}}(\tau, q, l)$ with precision $\nu$, i.e.
$\|\mathbf{x}(\tau, q, l) - \tilde{\mathbf{x}}(\tau, q, l)\| \le \nu$. Then, the transition relation $\xrightarrow[2]{}$ in the transition system of (5.1) can be
adapted to this case by requiring that $q \xrightarrow[2]{\,l\,} p$, if $\|p - \tilde{\mathbf{x}}(\tau, q, l)\| \le \eta/2 - \nu$. In fact:

$\|p - \mathbf{x}(\tau, q, l)\| \le \|p - \tilde{\mathbf{x}}(\tau, q, l)\| + \|\tilde{\mathbf{x}}(\tau, q, l) - \mathbf{x}(\tau, q, l)\|$

and therefore we can recover the transition relation $\xrightarrow[2]{}$, as defined in transition system (5.1).
We can now state the following result that relates $\delta$-ISS to the existence of symbolic models for digital control
systems.

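Theorem 5.1. Consider a control system $\Sigma$ and any desired precision $\varepsilon \in \mathbb{R}^+$. If $\Sigma$ is $\delta$-ISS then for any
$\tau \in \mathbb{R}^+$, $\eta \in \mathbb{R}^+$ and $\mu \in \mathbb{R}^+$ satisfying the following inequality:

(5.2) $\beta(\varepsilon, \tau) + \gamma(\mu) + \eta/2 \le \varepsilon$,

the transition system $T_{\mathcal{U}_\tau}(\Sigma)$ is $\varepsilon$-bisimilar to $T_{\tau,\eta,\mu}(\Sigma)$.

Before giving the proof of this result we point out that, analogously to condition (4.5) of Theorem 4.1, there
always exist parameters $\tau \in \mathbb{R}^+$, $\eta \in \mathbb{R}^+$ and $\mu \in \mathbb{R}^+$ satisfying condition (5.2).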

Proof. Consider the relation $R \subseteq Q_1 \times Q_2$ defined by $(x,q) \in R$ if and only if $\|x - q\| \le \varepsilon$. By construction
$R(Q_1) = Q_2$; since $Q_1 \subseteq \bigcup_{q_2 \in Q_2} \mathcal{B}_{\eta/2}(q_2)$ and by (5.2), $\eta/2 \le \varepsilon$, we have that $R^{-1}(Q_2) = Q_1$. We now show
that $R$ is an $\varepsilon$-approximate bisimulation relation between $T_{\mathcal{U}_\tau}(\Sigma)$ and $T_{\tau,\eta,\mu}(\Sigma)$. Consider any $(x,q) \in R$.
Condition (i) in Definition 3.2 is satisfied by the definition of $R$. Let us now show that condition (ii) in
Definition 3.2 holds. Consider any $l_1 \in L_1$ and the transition $x \xrightarrow[1]{\,l_1\,} y$ in $T_{\mathcal{U}_\tau}(\Sigma)$. Consider a label $l_2 \in L_2$
such that:

(5.3) $\|l_1 - l_2\| \le \mu$,

and set $z = \mathbf{x}(\tau, q, l_2)$. (Notice that such label $l_2 \in L_2$ exists because the assumptions on $U$ make $L_2 = [U]_\mu$
non-empty.) For later use notice that since $l_1$ and $l_2$ are constant functions, then $\|l_1 - l_2\| = \|l_1 - l_2\|_\infty$.
Since $Q_1 \subseteq \bigcup_{q_2 \in [\mathbb{R}^n]_\eta} \mathcal{B}_{\eta/2}(q_2)$, there exists $p \in Q_2$ such that:

(5.4) $\|z - p\| \le \eta/2$,

and therefore $q \xrightarrow[2]{\,l_2\,} p$ in $T_{\tau,\eta,\mu}(\Sigma)$. Since $\Sigma$ is $\delta$-ISS and by (5.3), (5.4) and (5.2), the following chain of
inequalities holds:

(5.5) $\|y - p\| = \|y - z + z - p\| \le \|y - z\| + \|z - p\|$
$\le \beta(\|x - q\|, \tau) + \gamma(\|l_1 - l_2\|_\infty) + \eta/2$
$\le \beta(\varepsilon, \tau) + \gamma(\mu) + \eta/2 \le \varepsilon$.

Hence $(y,p) \in R$ and condition (ii) in Definition 3.2 holds. We now show that also condition (iii) holds.
Consider any $(x,q) \in R$, $l_2 \in L_2$ and the transition $q \xrightarrow[2]{\,l_2\,} p$ in $T_{\tau,\eta,\mu}(\Sigma)$. By definition of $T_{\tau,\eta,\mu}(\Sigma)$:

(5.6) $\|z - p\| \le \eta/2$,

where $z = \mathbf{x}(\tau, q, l_2) \in Q_1$. Choose $l_1 = l_2 \in L_1$ and consider now the transition $x \xrightarrow[1]{\,l_1\,} y$ in $T_{\mathcal{U}_\tau}(\Sigma)$. Since $\Sigma$
is $\delta$-ISS and by (5.6) and (5.2), the chain of inequalities in (5.5) holds. Thus $(y,p) \in R$, which completes the
proof. □



6. Symbolic control design for a pendulum 



One of the simplest mechanical control systems studied in the literature is the pendulum which can be described 
by: 



(6.1) 



Xl 
±2 



X2, 



J sin Xl 



1 



where $x_1$ and $x_2$ are the angular position and velocity of the point mass, $u$ is the torque which represents the
control variable, $g = 9.8$ is the gravity acceleration, $l = 5$ is the length of the rod, $m = 0.5$ is the mass and
$k = 3$ is the coefficient of friction. All constants and variables in system $\Sigma$ are expressed in the International
System. We assume that $u \in U = [-1.5, 1.5]$ and that control inputs of $\Sigma$ are piecewise-constant. For
simplicity we work on the subset $X = [-1,1] \times [-1,1]$ of the state space of $\Sigma$.
In order to apply Theorem 5.1 we need to check if system $\Sigma$ is $\delta$-ISS. Consider the function $V$ defined by:
1 . w r i (AV 

2 Vrn/ 



V{x,y) ^ -{x-y) 



lk_ 
2 m 



lk_ 
2 m 
1 
2 



{x - y). 



It is possible to show that $V$ satisfies condition (i) of Definition 2.4 with $\alpha_1(r) = 0.49\, r^2$ and $\alpha_2(r) = 18.51\, r^2$.
Moreover, by defining for any $z_1, z_2 \in \mathbb{R}$,

$C(z_1, z_2) = (\sin(z_1) - \sin(z_2))/(z_1 - z_2)$,



one obtains C„ 



[-1,1] C,{zi,Z2) = 0.84 and C„ 



,1] C(^ii ^2) = 1 and hence: 



dV 
dx 
9 



f{x,u) 



dV 
dy 



.fiy,v) 



l^ — jC{xi,yi){xi - yiY 
2 m t 



C(a;i,2/i)(xi - yi){x2 - ^2) 



1 k 



lk_ 
2m 



{xi - yi) + X2 - y2 



2m 

{u — v) 



{X2 - 2/2)' 



(6.2) 

where a = — 



< -2°'\\x-y\\l + b\u-v\, 



2.4 



4.04 > 0, 6=(2+^) 



$> 0$. Hence, condition (iii) of Definition 2.4 is satisfied with $\rho(r) = a r^2$ and $\sigma(r) = b r$, and $V$ is a
$\delta$-ISS Lyapunov function for $\Sigma$. By Theorem 2.5 we conclude that the control system $\Sigma$ is $\delta$-ISS.
Using inequality (6.2), the definition of $V$ and the comparison lemma [Kha96], it is possible to show that for
any $x, y \in X$, any $u, v \in U$ and any time $t \in \mathbb{R}_0^+$:

$\|\mathbf{x}(t,x,u) - \mathbf{x}(t,y,v)\| \leq \beta(\|x - y\|, t) + \gamma(\|u - v\|_\infty),$

where $\beta(r,s) := 6.17\, e^{-2.08\, s}\, r$ and $\gamma(r) := \sqrt{3.96\, r}$ for any $r, s \in \mathbb{R}_0^+$. Functions $\beta$ and $\gamma$ are
respectively $\mathcal{KL}$ and $\mathcal{K}_\infty$ functions and thus inequality (2.2) is satisfied. We now have all the ingredients
to apply Theorem 5.1. Condition (5.2) becomes:

(6.3) $6.17\, e^{-2.08\, \tau}\, \varepsilon + \sqrt{3.96\, \mu} + \eta/2 \leq \varepsilon.$

For a precision $\varepsilon = 0.25$ we can choose $\eta = 0.4$, $\tau = 2$ and $\mu = 1.5 \cdot 10^{-4}$ so that inequality (6.3) is satisfied.
The resulting transition system:

(6.4) $T_{\tau,\eta,\mu}(\Sigma) = (Q_2, L_2, \longrightarrow_2, O_2, H_2),$

is defined by:

• $Q_2 = \{-2\eta, -\eta, 0, \eta, 2\eta\} \times \{-2\eta, -\eta, 0, \eta, 2\eta\}$;

• $L_2 = [U]_{1.5 \cdot 10^{-4}}$;

• $\longrightarrow_2$ is depicted in Figure 1;

• $O_2 = X$;

• $H_2 = \imath : Q_2 \hookrightarrow O_2$,

and shown in Figure 1 where the transition relation $\longrightarrow_2$ has been obtained by numerically integrating the
trajectories of $\Sigma$.




Figure 1. Symbolic model $T_{2,0.4,1.5 \cdot 10^{-4}}(\Sigma)$ associated with the control system $\Sigma$ of (6.1).
A state $(\eta i, \eta j)$ in $T_{2,0.4,1.5 \cdot 10^{-4}}(\Sigma)$ with $i, j = -2, -1, 0, 1, 2$ corresponds to the state
$5(i + 2) + j + 3$ in the above picture.



We now illustrate the use of the symbolic model (6.4) for controller synthesis. Suppose that our objective
is to design a controller enforcing an alternation between two different periodic motions denoted by $P_1$ and
$P_2$. Periodic motion $P_1$ requires the state of $\Sigma$ to cycle between $(-\eta, 0)$ and $(0, 0)$ while periodic motion $P_2$
requires the state to cycle between $(-\eta, 0)$ and $(\eta, 0)$. The control objective is then the design of a controller
that enforces system $\Sigma$ to satisfy a specification $P$ requiring the execution of the sequence of periodic motions
$P_1, P_1, P_2, P_1, P_1$. This specification is a simple illustration of more complex control objectives that typically
require different sequencing of actions in response to exogenous events such as faults or to events triggered by
the violation of certain thresholds on the continuous state. This kind of specification will naturally result in
a hybrid controller combining the continuous inputs necessary to drive the continuous state with the discrete
logic responsible for executing the right sequence of actions in response to different conditions. A control
strategy for periodic motions $P_1$ and $P_2$ can be obtained by performing a simple search on $T_{2,0.4,1.5 \cdot 10^{-4}}(\Sigma)$
or by using standard methods in the context of supervisory control [RW87] or algorithmic approaches to game
theory [AVW03]. One possible solution enforcing $P_1$ is:

$(-\eta, 0) \rightarrow (0, 0) \rightarrow (-\eta, 0),$

and for $P_2$ is:

$(-\eta, 0) \rightarrow (0, \eta) \rightarrow (\eta, 0) \rightarrow (0, -\eta) \rightarrow (-\eta, 0).$

A control strategy that enforces the specification $P$ can be obtained by concatenating the trajectories associated
with $P_1$, $P_1$, $P_2$, $P_1$ and $P_1$, resulting in:

$(-\eta, 0) \rightarrow (0, 0) \rightarrow (-\eta, 0) \rightarrow (0, 0) \rightarrow (-\eta, 0)$
$\rightarrow (0, \eta) \rightarrow (\eta, 0) \rightarrow (0, -\eta) \rightarrow (-\eta, 0)$
$\rightarrow (0, 0) \rightarrow (-\eta, 0) \rightarrow (0, 0) \rightarrow (-\eta, 0).$

Since by Theorem 5.1 $T_{2,0.4,1.5 \cdot 10^{-4}}(\Sigma)$ is 0.25-bisimilar to $T_{\tau}(\Sigma)$, the notion of approximate bisimulation
guarantees that the controller synthesized on $T_{2,0.4,1.5 \cdot 10^{-4}}(\Sigma)$ will enforce the desired behavior on $\Sigma$ with an
error of at most 0.25. Figure 2 shows the evolution of the state variables of $\Sigma$ when applying such a control
strategy. It is easy to see that at each time $i\tau$ with $i = 1, \ldots, 12$ the state variables $x_1$ and $x_2$ are within the
interval marked in red, which represents the desired precision $\varepsilon = 0.25$. For example, at time $t = 2\tau = 4$ the
angular position $x_1$ of system $\Sigma$ is in the interval $-\eta + [-\varepsilon, \varepsilon] = [-0.65, -0.15]$, as required by $P_1$ and the
approximation error $\varepsilon$. Although we could have designed continuous controllers enforcing $P_1$ and $P_2$ and then
devised a switching logic enforcing specification $P$, as is currently done in practice, we could not guarantee
what would happen to the closed loop system due to the difficulty in analyzing the combination of continuous
controllers with switching logic (see e.g. [Lib03]). On the contrary, the methodology that we propose offers a
systematic controller design process that requires reduced user intervention.
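The bookkeeping behind this synthesis step can be written out as an added Python example (not code from the paper): it checks the parameter choice against (6.3), concatenates the cycles given above for $P_1$ and $P_2$ into the strategy for $P$, maps symbolic states to their Figure 1 numbers, and monitors a sampled trajectory against the $\varepsilon$ tolerance. The function names and the per-coordinate tolerance check are assumptions made for illustration; the samples at times $k\tau$ are supplied by the caller.

```python
import math

# Values quoted in Section 6.
EPS, ETA, TAU, MU = 0.25, 0.4, 2.0, 1.5e-4

def condition_6_3(eps=EPS, eta=ETA, tau=TAU, mu=MU):
    """Left-hand side of (6.3): beta(eps, tau) + gamma(mu) + eta/2."""
    beta = 6.17 * math.exp(-2.08 * tau) * eps
    gamma = math.sqrt(3.96 * mu)
    return beta + gamma + eta / 2

# Cycles given in the text, as indices (i, j) of the state (i*eta, j*eta).
P1 = [(-1, 0), (0, 0), (-1, 0)]
P2 = [(-1, 0), (0, 1), (1, 0), (0, -1), (-1, 0)]

def concatenate(cycles):
    """Chain cycles end to start, sharing the common endpoint state."""
    run = [cycles[0][0]]
    for cyc in cycles:
        if cyc[0] != run[-1]:
            raise ValueError("cycle does not start where the previous one ended")
        run.extend(cyc[1:])
    return run

def figure_label(state):
    """Figure 1 numbering from its caption: (i, j) -> 5(i + 2) + j + 3."""
    i, j = state
    return 5 * (i + 2) + j + 3

def tolerance_box(state, eta=ETA, eps=EPS):
    """Per-coordinate interval q + [-eps, eps] around a symbolic state q."""
    return [(c * eta - eps, c * eta + eps) for c in state]

def monitor(samples, strategy, eta=ETA, eps=EPS):
    """Indices k at which the sample taken at time k*tau leaves the eps box."""
    bad = []
    for k, (x, q) in enumerate(zip(samples, strategy)):
        box = tolerance_box(q, eta, eps)
        if not all(lo <= xi <= hi for xi, (lo, hi) in zip(x, box)):
            bad.append(k)
    return bad

# Strategy for the specification P = P1, P1, P2, P1, P1.
STRATEGY = concatenate([P1, P1, P2, P1, P1])
```

A non-empty result from `monitor` means the sampled closed-loop trajectory left the 0.25 band around the symbolic strategy at the reported sampling instants.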

7. Discussion 

The work presented in this paper compares as follows with the available results of the research lines recalled 
in the introduction. 

Simulation/bisimulation: The results in this paper follow the research line of [Tab07a] and provide important
generalizations:

(i) The definition of the symbolic model in [Tab07a] relies on an (arbitrary) a priori choice of control inputs,
while the symbolic model in (4.4) captures the effect of any measurable control input;

(ii) The approximation notion employed in [Tab07a] is approximate simulation, while the results in this paper
guarantee the stronger notion of approximate bisimulation.

These generalizations are quite important from the controller synthesis point of view. The main drawback of
the results in [Tab07a] is that if a controller fails to exist for the symbolic model, nothing can be concluded
regarding the existence of a controller for the original control system. Our results guarantee, instead, that
given a control system and a specification, a controller exists for the original model if and only if a controller
exists for the symbolic model. Notice that while $\delta$-GAS implies asymptotic stabilizability as employed in
Theorem 2 of [Tab07a], the converse is not true in general. Furthermore even if a feedback control law rendering
the closed-loop system $\delta$-GAS were found, if the input space of the control system is bounded, there is no
guarantee that such feedback would satisfy the input constraints.

States $(-\eta, 0)$, $(0, 0)$, $(0, \eta)$, $(\eta, 0)$ and $(0, -\eta)$ involved in the specifications $P_1$ and $P_2$ correspond respectively to states 8,
13, 14, 18 and 12 in Figure 1.

We recall from [GP07] that an $\varepsilon$-approximate simulation relation from $T_1$ to $T_2$ is a relation $R$ which satisfies conditions (i)
and (ii) in Definition 3.2.

In fact the converse is true in the case of linear control systems.

Figure 2. Upper and medium panels: trajectory of $(x_1, x_2)$, with initial condition $(-\eta, 0)$ and
control strategy synthesized on $T_{2,0.4,1.5 \cdot 10^{-4}}(\Sigma)$. Vertical intervals marked in red represent
the precision $\varepsilon = 0.25$ that we require. Lower panel: Control strategy synthesized on
$T_{2,0.4,1.5 \cdot 10^{-4}}(\Sigma)$.

The results in this paper share similar ideas with the ones in [Gir07] that considers discrete-time linear control
systems. When we regard discrete-time control systems as the time discretization of continuous-time control
systems, Theorem 5.1 extends Theorem 4 of [Gir07] in two directions:

(i) by enlarging the class of control systems from linear to nonlinear;

(ii) by enlarging the class of input signals from piecewise-constant to measurable.

When specializing results of this paper to the class of linear control systems, conditions of Theorems 4.1 and
5.1 simplify. In fact given a linear control system:

$\dot{x} = Ax + Bu, \quad x \in \mathbb{R}^n, \quad u \in U \subseteq \mathbb{R}^m,$

the notions of $\delta$-GAS and $\delta$-ISS reduce to asymptotic stability of matrix $A$ and functions $\beta$ and $\gamma$ appearing
in inequalities (2.1) and (2.2) can be chosen as:

(7.1) $\beta(r,s) = \|e^{As}\|\, r; \quad \gamma(r) = \left( \|B\| \int_0^{\infty} \|e^{At}\|\, dt \right) r,$

where $\|e^{As}\|$ denotes the infinity norm of the matrix $e^{As}$. The use of explicit expressions in (7.1) for $\beta$ and
$\gamma$ simplifies indeed the search of parameters $\tau$, $\eta$ and $\mu$ satisfying conditions of Theorems 4.1 and 5.1 and
hence the construction of symbolic models in (4.4) and (5.1). Furthermore, in contrast to the nonlinear case,
the construction of the symbolic models can be performed even for non-constant inputs. This can be done by
using results on polytopic approximation of reachable sets for linear control systems (see e.g. [Var98], [Gir05])
with compact input space. It is known from [Var98] that for any desired precision $\nu \in \mathbb{R}^+$, the reachable set
$\mathcal{R}(\tau,q)$ of (4.2) can be approximated by a polytope $P(\tau,q)$, so that $d_h(P(\tau,q), \mathcal{R}(\tau,q)) \leq \nu$, where $d_h$ is the
Hausdorff pseudo-metric induced by the metric $d$. The countable set $\mathcal{P}_\mu(\tau,q)$ can then be reformulated in
terms of $P(\tau,q)$ rather than of $\mathcal{R}(\tau,q)$, as follows:

$\mathcal{P}_\mu(\tau,q) := \{ y \in [\mathbb{R}^n]_\mu : \exists z \in P(\tau,q) \text{ s.t. } \|y - z\| \leq \mu/2 \}.$



'^Fov M = {ruij} e K"> 
We recall that for any $X_1, X_2 \subseteq \mathbb{R}^n$, $d_h(X_1, X_2) := \max\{\vec{d}_h(X_1, X_2), \vec{d}_h(X_2, X_1)\}$, where $\vec{d}_h(X_1, X_2)$
The symbolic model in (4.4) can be adapted to the case of linear systems by defining the set $L_2(q)$ by:
(7.2) 

and the transition relation ► by: 



(7.3) 



if ||p-x(t,<7,0)-?|| <r7/2. 



Since the sets $P(\tau,q)$ and $L_2(q)$ can be computed, the symbolic model (4.4) with $L_2(q)$ given by (7.2) and
the transition relation given by (7.3), can be constructed. Finally condition (4.5) of Theorem 4.1 can be adapted to this case,

resulting in ||e'*'^||e + + /i + 77/2 < e. 

Quantized control systems: In [BMP02], [BMP06] finite abstractions of quantized control systems are
studied. In particular, conditions on the system parameters and on the input set are found so that the
resulting abstraction is characterized by a lattice structure in the set $\mathcal{R}$ of reachable states. Our results
ensure, under the $\delta$-ISS assumption, existence of a lattice approximating $\mathcal{R}$, independently from the system
parameters and input set. More precisely a direct consequence of Theorem 5.1 is that if a digital control system
$\Sigma$ is $\delta$-ISS then any state $x \in \mathcal{R}$ can be approximated with any desired precision $\varepsilon \in \mathbb{R}^+$, by a (symbolic)
state q S so that ||a; — q\\ < e/2. However, while our results guarantee to approximate TZ by the lattice 

[K"]^ with any (arbitrarily small) precision e E M+, results established in |BMP02[ IBMP06] guarantee that TZ 
is exactly a lattice. 

Qualitative reasoning and Stochastic automata: Symbolic models have been also proposed in the
framework of qualitative reasoning (see e.g. [RK03], [Kui94]) and in the stochastic automata based abstraction
of [LN01], [Sch03]. In both approaches the proposed models are characterized by a "completeness" property
under which any trajectory of the control system can be mimicked by a trajectory of the proposed symbolic
models. On the other hand, for any trajectory of the symbolic models there may not exist a corresponding
matching trajectory in the control systems. In both approaches no stability assumptions are needed to ensure
the completeness property. An interpretation in terms of bisimulation theory is that these results guarantee
existence of a surjective exact simulation relation from the control systems to the symbolic models. However,
analogously to the results in [Tab07a], the main drawback of these approaches is that if a controller fails to
exist for the proposed symbolic models, nothing can be concluded regarding the existence of a controller for
the original control system. As pointed out before, this drawback can be overcome by considering a notion of
approximate bisimulation, whose existence is ensured by $\delta$-ISS of the control system (see Theorem 5.1).



The results in Section 5 provide a first step towards the effective computation of symbolic models for digital
control systems. However, further work is required towards the design of efficient algorithms for constructing
the symbolic model proposed in (5.1). In particular, the main critical issues are related with:

(i) the choice of parameters $\tau$, $\eta$, $\mu$, which translates, by inequality (5.2), in finding a $\delta$-ISS Lyapunov function
for the control system;

(ii) the cardinality of $Q_2$ and $L_2$, which increases exponentially with the dimension of the state and input
spaces of the control system.

The computation of $\delta$-ISS Lyapunov functions is in general a hard task. However, one can resort to numerical
tools available in the literature, as for example the one proposed in [PPP02]. Furthermore, a way for mitigating
the exponential growth in the sizes of $Q_2$ and $L_2$ is to adapt techniques from on-the-fly verification of transition
systems [TA99] to the construction of the proposed symbolic models. This will be the object of future
investigations.